[keycloak-user] OIDC Client dynamic registration

Виталий Ищенко betalb at gmail.com
Tue Sep 19 13:59:50 EDT 2017


Hi

I was playing with the examples from the openid-client Node.js package; it has
examples with custom keys and key signing/encryption algorithms.

Some registration requests fail with an NPE like this:

Caused by: java.lang.NullPointerException
  at org.keycloak.util.JWKSUtils.getKeyForUse(JWKSUtils.java:49)
  at org.keycloak.services.clientregistration.oidc.DescriptionConverter.setPublicKey(DescriptionConverter.java:135)
  at org.keycloak.services.clientregistration.oidc.DescriptionConverter.toInternal(DescriptionConverter.java:102)
  at org.keycloak.services.clientregistration.oidc.OIDCClientRegistrationProvider.createOIDC(OIDCClientRegistrationProvider.java:74)

The registration request was the following:

{
    "post_logout_redirect_uris": [
        "http://localhost:3000/"
    ],
    "redirect_uris": [
        "http://localhost:3000/cb"
    ],
    "grant_types": [
        "authorization_code"
    ],
    "response_types": [
        "code"
    ],
    "userinfo_encrypted_response_alg": "ECDH-ES+A128KW",
    "jwks": {
        "keys": [
            {
                "kty": "EC",
                "kid": "pZtihA2ZjNh3qrPg3OUSZdpWatODXiUw_6ThWYqJ7gw",
                "crv": "P-256",
                "x": "qoBR4Zhj1RlMIF4TVfibVkApY1j2J1NdPUWTx_gKFlQ",
                "y": "cbZ3J1Y_OZXF0YhOerMVoqq5hRoe6G3xw21va5drqf0"
            }
        ]
    }
}

I overcame this issue by patching the library and adding a "use": "sig" attribute to
the JWKS key, but it seems that this attribute is not required by the spec
(https://tools.ietf.org/html/rfc7517#section-4.2), and even if it is required
from the app's perspective, the NPE should be replaced with something more meaningful.

Another issue that I faced after bypassing the NPE: registrations that use
unsupported algorithms like the one above don't fail. Is that correct behaviour?
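The two behaviours the post asks for, shown as an added JavaScript example that is not Keycloak's or openid-client's code: a JWKS lookup that treats "use" as optional per RFC 7517 section 4.2 (a key without "use" is eligible for either purpose, and a miss returns null instead of dereferencing a missing attribute), and an explicit algorithm check that rejects an algorithm the selected key cannot serve with a readable message instead of silently accepting it. The allow-list SUPPORTED_ALGS, the ALG_FIELDS table and the two extra requests are assumptions constructed for this example; the first request is the one from the post.

```javascript
'use strict';

// Added example, not Keycloak's or openid-client's code. SUPPORTED_ALGS is an
// assumed allow-list for illustration, not any server's real configuration.

// Pick the first key usable for `use` ('sig' or 'enc'). A key without "use"
// is eligible for either purpose (RFC 7517 section 4.2 makes "use" OPTIONAL);
// a key with a different "use" is skipped. Returns null instead of throwing.
function getKeyForUse(jwks, use) {
  if (!jwks || !Array.isArray(jwks.keys)) return null;
  for (const key of jwks.keys) {
    if (!key || typeof key.kty !== 'string') continue; // "kty" is REQUIRED (RFC 7517 section 4.1)
    if (key.use === undefined || key.use === use) return key;
  }
  return null;
}

// Assumed allow-list, keyed by purpose and then by key type, so an EC key is
// never paired with an RSA-only algorithm.
const SUPPORTED_ALGS = {
  sig: { RSA: ['RS256', 'RS384', 'RS512'], EC: ['ES256', 'ES384', 'ES512'] },
  enc: { RSA: ['RSA-OAEP', 'RSA-OAEP-256'], EC: ['ECDH-ES', 'ECDH-ES+A128KW'] },
};

// Registration metadata fields whose algorithm must match a key in the
// client's JWKS, with the key purpose each one needs (assumed subset).
const ALG_FIELDS = [
  ['request_object_signing_alg', 'sig'],
  ['id_token_encrypted_response_alg', 'enc'],
  ['userinfo_encrypted_response_alg', 'enc'],
];

// Validate a registration request. Returns an array of human-readable
// problems; an empty array means the algorithm/key combination is acceptable.
function validateRegistration(request, supported = SUPPORTED_ALGS) {
  const problems = [];
  for (const [field, use] of ALG_FIELDS) {
    const alg = request[field];
    if (alg === undefined) continue;
    const key = getKeyForUse(request.jwks, use);
    if (!key) {
      problems.push(`${field}=${alg} needs a key usable for "${use}" in jwks, but none was found`);
      continue;
    }
    const allowed = (supported[use] && supported[use][key.kty]) || [];
    if (!allowed.includes(alg)) {
      problems.push(`${field}=${alg} is not supported for ${key.kty} keys (allowed: ${allowed.join(', ') || 'none'})`);
    }
  }
  return problems;
}

// The request from the post: an EC P-256 key with no "use" attribute.
const REQUEST_FROM_POST = {
  post_logout_redirect_uris: ['http://localhost:3000/'],
  redirect_uris: ['http://localhost:3000/cb'],
  grant_types: ['authorization_code'],
  response_types: ['code'],
  userinfo_encrypted_response_alg: 'ECDH-ES+A128KW',
  jwks: {
    keys: [{
      kty: 'EC',
      kid: 'pZtihA2ZjNh3qrPg3OUSZdpWatODXiUw_6ThWYqJ7gw',
      crv: 'P-256',
      x: 'qoBR4Zhj1RlMIF4TVfibVkApY1j2J1NdPUWTx_gKFlQ',
      y: 'cbZ3J1Y_OZXF0YhOerMVoqq5hRoe6G3xw21va5drqf0',
    }],
  },
};

// Constructed variants: one asking for an algorithm the EC key cannot serve,
// one whose only key is restricted to "use": "sig" while encryption is requested.
const REQUEST_WRONG_FAMILY = { ...REQUEST_FROM_POST, userinfo_encrypted_response_alg: 'RSA-OAEP' };
const REQUEST_SIG_ONLY_KEY = {
  ...REQUEST_FROM_POST,
  jwks: { keys: [{ ...REQUEST_FROM_POST.jwks.keys[0], use: 'sig' }] },
};

for (const [name, req] of Object.entries({ REQUEST_FROM_POST, REQUEST_WRONG_FAMILY, REQUEST_SIG_ONLY_KEY })) {
  const problems = validateRegistration(req);
  console.log(name, problems.length ? problems : 'accepted');
}
```

Run with node; the request from the post is accepted under the assumed allow-list, the wrong-family variant is refused because RSA-OAEP cannot be used with an EC key, and the sig-only variant is refused because no key in the JWKS may be used for encryption. The point of the null return in getKeyForUse is that the caller, not a missing attribute, decides what an absent key means.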

